Skip to content

Microsoft.Authorization/locks/delete

Azure

Microsoft.Authorization/locks/delete

service: Azure - Authorization
techniques:

Event

Deletes a resource lock, removing protection against deletion or modification of critical resources.

Security Context

  • Resource locks are a safeguard that prevents accidental or malicious deletion and modification of critical Azure resources; removing them is a prerequisite for destructive actions.
  • Adversaries delete resource locks to clear the path for resource deletion, configuration changes, or data destruction that would otherwise be blocked by the lock.

Log Source

Azure Activity Log

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud deletes the prod-cannotdelete lock on the production resource group rg-fantasticlogs-prod. The lock was preventing destructive ARM operations on every resource in the RG; removing it is the prerequisite step before deleting VMs, snapshots, log analytics workspaces, etc. (see Microsoft.Compute/virtualMachines/delete later in this batch).

{
"authorization": {
"action": "Microsoft.Authorization/locks/delete",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Authorization/locks/prod-cannotdelete"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud"
},
"correlationId": "90000000-0000-4000-8000-000001111000",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000001111001",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T20:14:08.7172948Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Authorization/locks/prod-cannotdelete/events/90000000-0000-4000-8000-000001111001/ticks/638798194487172948",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000001111010",
"operationName": {
"value": "Microsoft.Authorization/locks/delete",
"localizedValue": "Delete management lock"
},
"resourceGroupName": "rg-fantasticlogs-prod",
"resourceProviderName": {
"value": "Microsoft.Authorization",
"localizedValue": "Microsoft.Authorization"
},
"resourceType": {
"value": "Microsoft.Authorization/locks",
"localizedValue": "Microsoft.Authorization/locks"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Authorization/locks/prod-cannotdelete",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T20:14:09.2018844Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Authorization/locks/prod-cannotdelete",
"message": "Microsoft.Authorization/locks/delete",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000001111011",
"clientIpAddress": "203.0.113.66",
"method": "DELETE",
"url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Authorization/locks/prod-cannotdelete?api-version=2020-05-01"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...